fix(mcp-proxy): harden approval server threading

oleg-bk · oleg-bk · commit ce430ecda329 · 2026-05-11T12:18:49.000+02:00
Use daemon request threads for the loopback approval server, validate Content-Length before reading POST bodies, and apply a per-request socket timeout for slow local clients.

Document the one-proxy-per-IDE deployment pattern and add harness-level multi-instance tests for distinct approval ports, independent evidence stores, and decision isolation. This intentionally avoids single-proxy multi-IDE routing, which is out of v0.1 scope.

Implemented with assistance from Codex.
diff --git a/agentveil_mcp_proxy/approval/server.py b/agentveil_mcp_proxy/approval/server.py
@@ -15,6 +15,8 @@
 from urllib.parse import parse_qs
 
 
+MAX_POST_BODY_BYTES = 8192
+REQUEST_SOCKET_TIMEOUT_SECONDS = 5.0
 SECURITY_HEADERS = {
     "Referrer-Policy": "no-referrer",
     "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
@@ -29,6 +31,10 @@
 COOKIE_NAME = "avp_approval_session"
 
 
+class _DaemonThreadingHTTPServer(ThreadingHTTPServer):
+    daemon_threads = True
+
+
 class ApprovalServerError(RuntimeError):
     """Raised when the local approval server cannot operate safely."""
 
@@ -84,7 +90,7 @@ def __init__(self, *, host: str = "127.0.0.1", port: int = 0):
         self._decisions: dict[str, ApprovalServerDecision] = {}
         self._decision_events: dict[str, threading.Event] = {}
         self._terminal_requests: set[str] = set()
-        self._httpd: ThreadingHTTPServer | None = None
+        self._httpd: _DaemonThreadingHTTPServer | None = None
         self._thread: threading.Thread | None = None
 
     @property
@@ -118,7 +124,7 @@ def start(self) -> None:
         class Handler(_ApprovalRequestHandler):
             server_owner = owner
 
-        self._httpd = ThreadingHTTPServer((self.host, self.port), Handler)
+        self._httpd = _DaemonThreadingHTTPServer((self.host, self.port), Handler)
         self.host, self.port = self._httpd.server_address[:2]
         self._thread = threading.Thread(
             target=self._httpd.serve_forever,
@@ -244,6 +250,10 @@ def _valid_cookie(self, raw_cookie: str | None) -> bool:
 class _ApprovalRequestHandler(BaseHTTPRequestHandler):
     server_owner: ApprovalServer
 
+    def setup(self) -> None:
+        super().setup()
+        self.request.settimeout(REQUEST_SOCKET_TIMEOUT_SECONDS)
+
     def log_message(self, _format: str, *_args: Any) -> None:
         return
 
@@ -283,8 +293,16 @@ def do_POST(self) -> None:
         if not self.server_owner._valid_cookie(self.headers.get("Cookie")):
             self._send_text(HTTPStatus.FORBIDDEN, "forbidden")
             return
-        length = int(self.headers.get("Content-Length", "0") or "0")
-        body = self.rfile.read(min(length, 8192)).decode("utf-8", errors="replace")
+        raw_length = self.headers.get("Content-Length", "0") or "0"
+        try:
+            length = int(raw_length)
+        except ValueError:
+            self._send_text(HTTPStatus.BAD_REQUEST, "invalid content length")
+            return
+        if length < 0 or length > MAX_POST_BODY_BYTES:
+            self._send_text(HTTPStatus.BAD_REQUEST, "invalid content length")
+            return
+        body = self.rfile.read(length).decode("utf-8", errors="replace")
         form = parse_qs(body, keep_blank_values=True)
         csrf = (form.get("csrf_token") or [""])[0]
         if not hmac.compare_digest(csrf, prompt.csrf_token):
diff --git a/docs/MCP_PROXY_OPERATIONS.md b/docs/MCP_PROXY_OPERATIONS.md
@@ -115,6 +115,37 @@ The proxy writes the pending approval record before it renders the approval page
 or sends notifications. Approval, denial, and timeout decisions are written back
 to local evidence before the proxy acts on them.
 
+## Multi-IDE Deployment
+
+For developers running multiple LLM IDE clients, the canonical pattern is one
+MCP proxy per IDE.
+
+Each `agentveil-mcp-proxy run` invocation creates an independent process with:
+
+- A distinct approval server port, bound to `127.0.0.1` on a random unused port
+- An independent evidence database, scoped by `--home` or `AVP_HOME`
+- An independent Runtime Gate session, identity, and control grant
+- Independent circuit breaker state
+
+This process-level isolation avoids shared approval state between proxy
+instances on the same host. Each IDE's MCP server configuration should point at
+its own proxy command.
+
+Example: two IDEs on one machine
+
+```bash
+AVP_HOME="$HOME/.avp-claude" agentveil-mcp-proxy run
+AVP_HOME="$HOME/.avp-cursor" agentveil-mcp-proxy run
+```
+
+Each proxy has its own home tree containing its identity, control grant, and
+`evidence.sqlite`. Decisions in one proxy do not authorize or deny requests in
+the other.
+
+For centralized policy enforcement across multiple developers, enforce policy
+in the AVP backend rather than multiplexing multiple IDE clients through one
+local proxy process.
+
 ## Headless Approval Mode
 
 For CI or scheduled jobs, run with deny-by-default headless behavior:
diff --git a/tests/test_mcp_proxy_approval.py b/tests/test_mcp_proxy_approval.py
@@ -9,14 +9,17 @@
 from pathlib import Path
 import re
 import signal
+import socket
 import sys
 import threading
 import time
 from typing import Any
+from urllib.parse import urlencode, urlsplit
 
 import httpx
 import pytest
 
+import agentveil_mcp_proxy.approval.server as approval_server_module
 import agentveil_mcp_proxy.cli as proxy_cli
 from agentveil_mcp_proxy.approval import (
     ApprovalFlowError,
@@ -182,6 +185,14 @@ def _get_csrf(client: httpx.Client, url: str) -> str:
     return match.group(1)
 
 
+def _get_csrf_and_cookie(client: httpx.Client, url: str) -> tuple[str, str]:
+    response = client.get(url)
+    assert response.status_code == 200
+    match = TOKEN_RE.search(response.text)
+    assert match
+    return match.group(1), response.headers["Set-Cookie"].split(";", 1)[0]
+
+
 def _post_decision(client: httpx.Client, url: str, *, decision: str, csrf: str, scope: str = "exact"):
     return client.post(url, data={
         "decision": decision,
@@ -225,6 +236,48 @@ def _request_and_post(
     return result_box["outcome"], prompt, response
 
 
+def _raw_http_request(host: str, port: int, request: str, *, timeout: float = 2.0) -> bytes:
+    with socket.create_connection((host, port), timeout=timeout) as sock:
+        sock.settimeout(timeout)
+        sock.sendall(request.encode("utf-8"))
+        chunks = []
+        while True:
+            chunk = sock.recv(4096)
+            if not chunk:
+                break
+            chunks.append(chunk)
+    return b"".join(chunks)
+
+
+def _raw_post(
+    server: ApprovalServer,
+    url: str,
+    *,
+    content_length: str,
+    body: str = "",
+    cookie: str | None = None,
+) -> bytes:
+    path = urlsplit(url).path
+    headers = [
+        f"POST {path} HTTP/1.1",
+        f"Host: {server.host}:{server.port}",
+        "Content-Type: application/x-www-form-urlencoded",
+        f"Content-Length: {content_length}",
+        "Connection: close",
+    ]
+    if cookie is not None:
+        headers.append(f"Cookie: {cookie}")
+    request = "\r\n".join(headers) + "\r\n\r\n" + body
+    return _raw_http_request(server.host, server.port, request)
+
+
+def _assert_status(raw_response: bytes, status_code: int) -> None:
+    status_line = raw_response.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
+    assert status_line.startswith(f"HTTP/1.0 {status_code} ") or status_line.startswith(
+        f"HTTP/1.1 {status_code} "
+    ), raw_response.decode("utf-8", errors="replace")
+
+
 def test_approval_server_binds_only_to_127_0_0_1():
     server = ApprovalServer()
     server.start()
@@ -238,6 +291,99 @@ def test_approval_server_binds_only_to_127_0_0_1():
         ApprovalServer(host="0.0.0.0")
 
 
+def test_approval_server_request_threads_are_daemon(monkeypatch):
+    seen: dict[str, bool] = {}
+    original_do_get = approval_server_module._ApprovalRequestHandler.do_GET
+
+    def recording_do_get(self):
+        seen["daemon"] = threading.current_thread().daemon
+        return original_do_get(self)
+
+    monkeypatch.setattr(approval_server_module._ApprovalRequestHandler, "do_GET", recording_do_get)
+    server = ApprovalServer()
+    server.start()
+    try:
+        assert server._httpd is not None
+        assert server._httpd.daemon_threads is True
+        url = server.register(_prompt())
+        response = httpx.get(url)
+        assert response.status_code == 200
+        assert seen["daemon"] is True
+    finally:
+        server.stop()
+
+
+def _assert_invalid_content_length_rejected(content_length: str) -> None:
+    server = ApprovalServer()
+    server.start()
+    try:
+        url = server.register(_prompt())
+        with httpx.Client() as client:
+            _csrf, cookie = _get_csrf_and_cookie(client, url)
+        response = _raw_post(server, url, content_length=content_length, cookie=cookie)
+        _assert_status(response, 400)
+        assert b"invalid content length" in response
+    finally:
+        server.stop()
+
+
+def test_post_with_non_numeric_content_length_returns_400():
+    _assert_invalid_content_length_rejected("abc")
+
+
+def test_post_with_negative_content_length_returns_400():
+    _assert_invalid_content_length_rejected("-100")
+
+
+def test_post_with_oversized_content_length_returns_400():
+    _assert_invalid_content_length_rejected("99999")
+
+
+def test_post_with_valid_content_length_succeeds():
+    server = ApprovalServer()
+    server.start()
+    try:
+        url = server.register(_prompt())
+        with httpx.Client() as client:
+            csrf, cookie = _get_csrf_and_cookie(client, url)
+        body = urlencode({
+            "decision": "approve",
+            "csrf_token": csrf,
+            "approval_scope": "exact",
+        })
+        response = _raw_post(
+            server,
+            url,
+            content_length=str(len(body.encode("utf-8"))),
+            body=body,
+            cookie=cookie,
+        )
+        _assert_status(response, 200)
+        decision = server.wait_for_decision("req-1", timeout=0.1)
+        assert decision is not None
+        assert decision.decision == "approve"
+    finally:
+        server.stop()
+
+
+def test_slow_client_request_socket_timeout(monkeypatch):
+    monkeypatch.setattr(approval_server_module, "REQUEST_SOCKET_TIMEOUT_SECONDS", 0.25)
+    server = ApprovalServer()
+    server.start()
+    try:
+        with socket.create_connection((server.host, server.port), timeout=2.0) as sock:
+            sock.settimeout(2.0)
+            sock.sendall(b"GET /approval/")
+            time.sleep(0.6)
+            try:
+                data = sock.recv(1)
+            except (ConnectionResetError, TimeoutError, socket.timeout):
+                data = b""
+        assert data == b""
+    finally:
+        server.stop()
+
+
 def test_post_without_token_returns_403():
     server = ApprovalServer()
     server.start()
diff --git a/tests/test_mcp_proxy_multi_instance.py b/tests/test_mcp_proxy_multi_instance.py
